totaluser DD-WRT User Joined: 31 May 2010 Posts: 128
Posted: Fri Jun 10, 2011 20:59 Post subject: help me make my IPv6 firewall bulletproof
Hello everybody,
I recompiled kernel modules for my DD-WRT router and, among a few other applications, I recompiled iptables 1.4.10 as well.
What I want to achieve:
-> I want to be able to use IPv6 on LAN for general browsing and such usage (permit communication from LAN to WAN and return connections only)
-> I don't want to open any holes in my FW yet (I don't need port forwarding)
-> I don't want my LAN to be accessible from the Internet
-> I want to be able to ping IPv6 addresses from my LAN to the Internet
-> I want to be able to ping IPv6 addresses from my router to the Internet
-> I don't want anybody on the Internet to be able to ping my WAN IPv6 address or anything behind my router
Generally, since there is no NAT with IPv6, I want to create a NAT-like firewall solution: unless a specific port is opened, nothing behind my router is accessible.
After hours of googling and a trial-and-error approach I put together this
(VLAN2 is my WAN-facing interface, BR0 is my LAN-facing interface):
Code:
/tmp/iptables/sbin/ip6tables -L
/tmp/iptables/sbin/ip6tables -F
/tmp/iptables/sbin/ip6tables -P INPUT DROP
/tmp/iptables/sbin/ip6tables -P OUTPUT DROP
/tmp/iptables/sbin/ip6tables -P FORWARD DROP
/tmp/iptables/sbin/ip6tables -I INPUT -p icmpv6 -j ACCEPT
/tmp/iptables/sbin/ip6tables -I INPUT -i vlan2 -p tcp --syn -j DROP
/tmp/iptables/sbin/ip6tables -A INPUT -i lo -j ACCEPT
/tmp/iptables/sbin/ip6tables -A INPUT -i vlan2 -d 2000::/3 -m state --state RELATED,ESTABLISHED -j ACCEPT
/tmp/iptables/sbin/ip6tables -A INPUT -i br0 -j ACCEPT
/tmp/iptables/sbin/ip6tables -A FORWARD -m state --state NEW -i br0 -o vlan2 -j ACCEPT
/tmp/iptables/sbin/ip6tables -A FORWARD -i br0 -s 2000::/3 -j ACCEPT
/tmp/iptables/sbin/ip6tables -A FORWARD -i vlan2 -d 2000::/3 -m state --state RELATED,ESTABLISHED -j ACCEPT
/tmp/iptables/sbin/ip6tables -I FORWARD -p icmpv6 -j ACCEPT
/tmp/iptables/sbin/ip6tables -I FORWARD -i vlan2 -p tcp --syn -j DROP
/tmp/iptables/sbin/ip6tables -I OUTPUT -p icmpv6 -j ACCEPT
/tmp/iptables/sbin/ip6tables -A OUTPUT -o lo -j ACCEPT
/tmp/iptables/sbin/ip6tables -A OUTPUT -o vlan2 -s 2000::/3 -j ACCEPT
It allows me to browse the IPv6 Internet (e.g. ipv6.google.com) and ping IPv6 sites.
I am afraid that enabling ICMPv6 globally is like opening a door to my network.
Another question is whether I should be more specific and use my /64 LAN subnet instead of 2000::/3.
Security guys, thank you very much in advance.
slobodan DD-WRT Guru Joined: 03 Nov 2011 Posts: 1555 Location: Zwolle
Posted: Sun Jan 22, 2012 20:08 Post subject:
Your script is great, but I'm afraid you're IPv6 pingable from outside. You can verify this with http://www6.ipv6.chappell-family.com/cgi-bin6/ipscan-js.cgi (IPv6 firewall tester).
I would suggest replacing the icmpv6 FORWARD line with:
Code:
ip6tables -I FORWARD -p icmpv6 -j DROP
But in this case you lose the ability to ping6 and traceroute6.
Of course, if all your devices attached to the router drop ping6 by default, then there is no need to worry too much about that.
If you want to disable ping6 to the router, change three lines to:
Code:
ip6tables -I INPUT -p icmpv6 -j DROP
ip6tables -I FORWARD -p icmpv6 -j DROP
ip6tables -I OUTPUT -p icmpv6 -j DROP
For me the latter is not an option, since aiccu wants the router to remain pingable via IPv6.
_________________
2 times APU2 Opnsense 21.1 with Sensei
2 times RT-AC56U running DD-WRT 45493 (one as Gateway, the other as AP, both bridged with LAN cable)
3 times Asus RT-N16 shelved
E4200 V1 running freshtomato 2020.8 (bridged with LAN cable)
3 times Linksys WRT610N V2 converted to E3000 and 1 original E3000 running freshtomato 2020.8 (bridged with LAN cable)
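To see why the first post's router answers pings from the WAN, here is an added example (written for this thread, not code from either poster): a tiny first-match simulator that honours the difference between -I (insert at the head) and -A (append), replays the first post's INPUT rules in the order the script issues them, and then adds the `-I INPUT -p icmpv6 -j DROP` line suggested above. The packet descriptions and the 2001:db8:: documentation address are constructed; only the rule lines come from the thread.

```python
import ipaddress
import shlex

OPTS = {"-i": ("iface", str), "-p": ("proto", str), "-j": ("target", str),  # option -> (key, converter)
        "-d": ("dst", ipaddress.ip_network), "--icmpv6-type": ("itype", int),
        "--state": ("state", lambda s: set(s.split(",")))}

def add(rules, cmd):
    """Parse one ip6tables command and place the rule where -I (head) or -A (tail) would."""
    args, rule, mode, i = shlex.split(cmd), {}, None, 1
    while i < len(args):
        if args[i] in ("-I", "-A"):
            mode, i = args[i], i + 2          # skip the chain name
        elif args[i] in OPTS:
            key, conv = OPTS[args[i]]
            rule[key], i = conv(args[i + 1]), i + 2
        elif args[i] == "--syn":
            rule["syn"], i = True, i + 1
        else:
            i += 1                            # "-m state" and similar add no match of their own
    rules.insert(0 if mode == "-I" else len(rules), rule)

def verdict(rules, pkt, policy="DROP"):
    """First matching rule wins; the chain policy applies when nothing matches."""
    for r in rules:
        if (r.get("iface", pkt["iface"]) == pkt["iface"] and r.get("proto", pkt["proto"]) == pkt["proto"]
                and (not r.get("syn") or pkt.get("syn", False)) and ("state" not in r or pkt["state"] in r["state"])
                and ("dst" not in r or ipaddress.ip_address(pkt["dst"]) in r["dst"])
                and r.get("itype", pkt.get("itype")) == pkt.get("itype")):
            return r["target"]
    return policy

def first_post_input_chain():
    rules = []
    for cmd in ("ip6tables -I INPUT -p icmpv6 -j ACCEPT",
                "ip6tables -I INPUT -i vlan2 -p tcp --syn -j DROP",
                "ip6tables -A INPUT -i lo -j ACCEPT",
                "ip6tables -A INPUT -i vlan2 -d 2000::/3 -m state --state RELATED,ESTABLISHED -j ACCEPT",
                "ip6tables -A INPUT -i br0 -j ACCEPT"):
        add(rules, cmd)
    return rules

# Constructed packet: an ICMPv6 echo request arriving on the WAN interface (2001:db8::/32 is documentation space).
WAN_PING = {"iface": "vlan2", "proto": "icmpv6", "itype": 128, "state": "NEW", "dst": "2001:db8::1"}

def demo():
    rules = first_post_input_chain()
    before = verdict(rules, WAN_PING)                   # "ACCEPT": the router answers WAN pings
    add(rules, "ip6tables -I INPUT -p icmpv6 -j DROP")  # the reply's fix lands at the head of the chain
    return before, verdict(rules, WAN_PING)             # ("ACCEPT", "DROP")
```

The same walk shows why the type-by-type ACCEPT lists later in the thread behave differently: an echo request (type 128) on the WAN side matches none of them and falls through to the DROP policy.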
totaluser DD-WRT User Joined: 31 May 2010 Posts: 128
Posted: Sun Jan 22, 2012 20:25 Post subject:
I checked it on that site with my phone and my desktop, and on both I am getting everything green.
STLTH , ECHO NO REPLY
Also, my hosts on LAN are not pingable from the Internet,
though I am currently using this FW script:
ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
ip6tables -I INPUT -i vlan2 -p tcp --syn -j DROP
ip6tables -I INPUT -i lo -j ACCEPT
ip6tables -I INPUT -i vlan2 -d MY_IPv6_HERE -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -I INPUT -i vlan2 -d MY_IPv6_HERE -m state --state ESTABLISHED -j ACCEPT
ip6tables -I INPUT -i br0 -j ACCEPT
ip6tables -I INPUT -i br1 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 129 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 130 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 131 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 132 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 143 -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j LOG --log-prefix " [ INPUT ICMPv6 ] : "
ip6tables -A INPUT -j LOG --log-prefix " [ INPUT IPv6 ] : "
ip6tables -I FORWARD -m state --state NEW -i br0 -o vlan2 -j ACCEPT
ip6tables -I FORWARD -m state --state NEW -i br1 -o vlan2 -j ACCEPT
ip6tables -I FORWARD -i br0 -s MY_IPv6_HERE -j ACCEPT
ip6tables -I FORWARD -i br1 -s MY_IPv6_HERE -j ACCEPT
ip6tables -I FORWARD -i vlan2 -d 2000::/3 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i vlan2 -p tcp --syn -j DROP
ip6tables -I FORWARD -i br0 -o br1 -j ACCEPT
ip6tables -I FORWARD -i br1 -o br0 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j LOG
ip6tables -I OUTPUT -o lo -j ACCEPT
ip6tables -I OUTPUT -s MY_IPv6_HERE -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -I OUTPUT -o vlan2 -s MY_IPv6_HERE -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 128 -o br0 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 129 -o br0 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 128 -o br1 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 129 -o br1 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 143 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j LOG --log-prefix " [ OUTPUT ICMPv6 ] : "
slobodan DD-WRT Guru Joined: 03 Nov 2011 Posts: 1555 Location: Zwolle
Posted: Sun Jan 22, 2012 21:59 Post subject:
That's even better.
I added the following line in order to allow the router to send IPv6 ECHO:
Code:
ip6tables -A INPUT -p icmpv6 --icmpv6-type 128 -j ACCEPT
However, with respect to logging the icmpv6, I got the following error:
ip6tables: No chain/target/match by that name
totaluser DD-WRT User Joined: 31 May 2010 Posts: 128
Posted: Sun Jan 22, 2012 22:14 Post subject:
It depends on which modules you are using with ip6tables.
I compiled them myself and created a custom image:
-rwxrw-rw- 1 root root 13053 Jun 9 2011 ip6_queue.ko
-rwxrw-rw- 1 root root 17550 Jun 9 2011 ip6_tables.ko
-rwxrw-rw- 1 root root 12454 Jun 9 2011 ip6t_LOG.ko
-rwxrw-rw- 1 root root 3444 Jun 9 2011 ip6t_ah.ko
-rwxrw-rw- 1 root root 3180 Jun 9 2011 ip6t_eui64.ko
-rwxrw-rw- 1 root root 3178 Jun 9 2011 ip6t_mh.ko
-rwxrw-rw- 1 root root 5224 Jun 9 2011 ip6table_filter.ko
-rwxrw-rw- 1 root root 5451 Jun 9 2011 ip6table_mangle.ko
-rwxrw-rw- 1 root root 4008 Jun 9 2011 ip6table_raw.ko
If you don't have the module for LOGging, you obviously cannot log.
ip6tables will work without it, but without logging capability.
slobodan DD-WRT Guru Joined: 03 Nov 2011 Posts: 1555 Location: Zwolle
Posted: Sun Jan 22, 2012 23:50 Post subject:
Ok, now it works with the following script:
Code:
ip6tables -F
ip6tables -X
ip6tables -Z
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -I INPUT -i sixxs -p tcp --syn -j DROP
ip6tables -I INPUT -i lo -j ACCEPT
ip6tables -I INPUT -i sixxs -d MY_IPv6_HERE -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -I INPUT -i sixxs -d MY_IPv6_HERE -m state --state ESTABLISHED -j ACCEPT
ip6tables -I INPUT -i sixxs -d MY_IPv6_NET_PREFIX::/64 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -I INPUT -i sixxs -d MY_IPv6_NET_PREFIX::/64 -m state --state ESTABLISHED -j ACCEPT
ip6tables -I INPUT -i br0 -j ACCEPT
# ip6tables -I INPUT -i br1 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 128 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 129 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 130 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 131 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 132 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 143 -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j LOG --log-prefix " [ INPUT ICMPv6 ] : "
ip6tables -A INPUT -j LOG --log-prefix " [ INPUT IPv6 ] : "
ip6tables -I FORWARD -m state --state NEW -i br0 -o sixxs -j ACCEPT
# ip6tables -I FORWARD -m state --state NEW -i br1 -o sixxs -j ACCEPT
ip6tables -I FORWARD -i br0 -s MY_IPv6_HERE -j ACCEPT
ip6tables -I FORWARD -i br0 -s MY_IPv6_NET_PREFIX::/64 -j ACCEPT
# ip6tables -I FORWARD -i br1 -s MY_IPv6_HERE -j ACCEPT
ip6tables -I FORWARD -i sixxs -d MY_IPv6_HERE -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -I FORWARD -i sixxs -d MY_IPv6_NET_PREFIX::/64 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i sixxs -p tcp --syn -j DROP
# ip6tables -I FORWARD -i br0 -o br1 -j ACCEPT
# ip6tables -I FORWARD -i br1 -o br0 -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j LOG
ip6tables -I OUTPUT -o lo -j ACCEPT
ip6tables -I OUTPUT -s MY_IPv6_HERE -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -I OUTPUT -o sixxs -s MY_IPv6_HERE -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -I OUTPUT -s MY_IPv6_NET_PREFIX::/64 -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -I OUTPUT -o sixxs -s MY_IPv6_NET_PREFIX::/64 -m state --state NEW,ESTABLISHED -j ACCEPT
# ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 128 -o sixxs -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 129 -o sixxs -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 128 -o br0 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 129 -o br0 -j ACCEPT
# ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 128 -o br1 -j ACCEPT
# ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 129 -o br1 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 143 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j LOG --log-prefix " [ OUTPUT ICMPv6 ] : "